Conducting a HIPAA Self-Assessment
Using Audit Protocol to Guide Compliance Check
The audit protocol used by federal regulators during the initial round of HIPAA compliance audits is a helpful tool for covered entities and business associates that are conducting a risk analysis and beefing up HIPAA compliance efforts, says security consultant Bill Miaoulis. Although the protocol, which is available online for free, will eventually be updated to reflect the HIPAA Omnibus Rule, it's currently an excellent self-assessment tool, especially for risk management, he says [see: HIPAA Audits: More to Come in 2014].
"We really have a huge advantage in the fact that they have actually provided this protocol," Miaoulis says in an interview with Information Security Media Group [transcript below]. "If you were to be subjected to an audit, you could get a feel for how they looked at people in the past," he says. "It really gives a lot of insight into what compliance means."
Miaoulis defines compliance as having a well-documented HIPAA policy and evidence that procedures are being followed. "When the auditors come in, it's not their job to prove you're compliant; it's your job," he says.
In 2012, the HHS Office for Civil Rights audited 115 covered entities during a pilot program. HIPAA compliance audits are slated to resume next year, according to Leon Rodriguez, who heads OCR. The next round of audits will include business associates as well as covered entities.
In the interview, Miaoulis also discusses:
- An example of how the audit protocol can be applied for risk assessments;
- Who within organizations should use the audit protocol;
- Improvements he'd like to see in the protocol when it's updated.
Miaoulis is founder of HIPAA Security and Privacy Advisors in Birmingham, Ala. He has 20 years of experience in healthcare security, and he previously worked in the energy and banking industries. He was the first information security officer at UAB Health Systems in Birmingham, a post he held for almost seven years. He also was corporate information security officer and HIPAA consulting service leader at Phoenix Health Systems. Miaoulis is author of the book, "Preparing for a HIPAA Security Compliance Assessment," published by American Healthcare Information Management Association.
Using Audit Protocol as a Self-Assessment
MARIANNE KOLBASUK MCGEE: How do you suggest the HIPAA audit protocol be used by covered entities? For instance, is this protocol something to be used if they're preparing for an actual OCR audit, or is this protocol something that can be used also as a self-assessment tool to improve their overall HIPAA compliance?
BILL MIAOULIS: The way I suggest you use it is for a self-assessment tool. ... We really have a huge advantage in the fact that [HHS has] actually provided this protocol, so if you were to be subjected to an audit you could get a feel for how they looked at people in the past. That's not a 100-percent predictor of the future, but it certainly shows you what they looked at in the past, what you could expect if you had an audit, and it's just really a valuable tool and everyone should review.
Business Associates, Subcontractors
MCGEE: Under HIPAA Omnibus, business associates and their subcontractors are also directly liable for HIPAA compliance. They too are subject to possible OCR audits and breach investigations. How might this protocol be used by business associates as a compliance tool?
MIAOULIS: It would be similar to what covered entities would utilize to do a self-assessment. But in addition, it would be an education tool for business associates who are just now becoming familiar with many of the HIPAA requirements, because it gives you a little more insight into what the HIPAA rule actually means and what they're looking for. For business associates, I will recommend that they also go to OCR's guidance on HIPAA. There's a series of guidance [documents] that they have also provided to what they're looking for. Specifically for business associates, you would use it to do a self-assessment. Go through it one by one when you create your policies, procedures and practices and say, "Could I survive this audit if it were to happen to me?"
Most Useful Areas of Protocol
MCGEE: The audit protocol covers 169 requirements related to the HIPAA security and privacy rules as well as breach notification. In light of changes under HIPAA Omnibus, including breach notification, what areas of the protocol do you think are most useful for covered entities and business associates?
MIAOULIS: I think we have to go back to what's the foundation of the rule. When you look at the protocol, I tend to focus a little more on the security standards and specifically the security management process, risk analysis and risk management. I think it also helps us with some areas that maybe we were confused about what they might look for. One of the first ones that I looked at was the integrity standard. What would they really be looking at to make sure that I'm meeting the integrity standard? Any area that you're just not as confident on or you need some validation, I would go for those first. Security management, risk analysis and risk management are critical.
MCGEE: Can you provide an example of how the protocol can be applied by an organization to improve HIPAA compliance?
MIAOULIS: Absolutely. I want to start with the one I just talked about, the security management process. ... Conduct an accurate and thorough assessment of potential risk involved in confidentiality, integrity and availability of electronic health information held by the covered entity or business associate. ... Inquire of management as to whether formal and informal policies or practices exist to conduct an accurate assessment. ... Management needs to be aware of what's going on with a risk analysis.
... In the very first two audit protocol lines for risk management we find out they want formal policy and procedures, they want management involvement and they want to make sure you have documentation.
The third line says "evidence of the covered entity risk assessment process." Does it cover everything it's supposed to? Then they ask how often it's done. Is it done on a periodic basis, that it's not a one-time thing? Determine if the covered entity's risk assessment has been conducted on a periodic basis.
The last one on that particular protocol is to determine if the covered entity has identified all systems that contain, process or transmit ePHI. When we look at that, it really gives a lot of insight into what compliance means. I've defined it as ... you have a documented policy and procedure, you have documentation of what's going on and you have evidence that you're following your policies and procedures. I always try to make the point to people that when the auditors come in, it's not their job to prove you're compliant; it's your job to prove you're compliant. Determine through each of the standards how you document that you're complying with risk analysis. It may be that you can show that you've been doing it for a long time. "Here they are; they're in this folder. Here [are] the 15 risk analyses we've been doing. Here's where we identify all of our information." Make sure you have documentation in policies and procedures.
MCGEE: Who within an organization should use the protocol?
MIAOULIS: Anyone that has an interest, any stakeholder, but I think a lot of it really depends upon the size of the organization. In a large organization that maybe has an internal audit function or a separate ability, you can get someone else to review. If there's someone that is primarily responsible for it, make sure that there's someone else that can take the protocol and say, "Can you do it?" In other words, have a checker. Have someone that you can work with. In a small organization, if you're a small business associate, you may just have to use it with a team approach to go through and say, "Could we meet this?" It could be anyone from an internal auditor to the security officer himself. I find the information so valuable when I read through it. I highly recommend everyone to get it; it's free.
MCGEE: At some point, the Office for Civil Rights will likely update the protocol based on its analysis of the 115 audits conducted under the pilot program in 2012 and also make changes reflecting the changes of HIPAA Omnibus. What's missing from the protocol in your opinion? Looking ahead, what would you like to see added or changed in the protocol?
MIAOULIS: What would be helpful with the protocol ... would be a list of documentation that they request and a list of people that they plan to interview when they come inside. That would give us a better feeling of how that would impact us, who they're specifically talking to and what documentation they're looking for exactly. Do they want to see a copy of all risk analyses? Do they want to see a copy of all policies and procedures? You can pick that out by reading through the protocol. But summary documentation, what we would call an engagement letter, "Here's our initial document request prior to you coming in," would be very helpful because they do issue those and they say, "Get this ready for us; we're coming. We need to see these people." Even just a sample of that would be very helpful.
MCGEE: When do you expect we might see a new version of the protocol from OCR? Any idea?
MIAOULIS: I have given up predicting, but I would hope that sometime early next year. But I wouldn't let that deter anyone from using what's available now. They'll just tweak it. I don't want to anticipate, having reviewed this pretty thoroughly, that there's going to be any major significant changes. Again, they may add some additional information, but I would think first quarter of next year.